NukeRusich / Narodi-Issue-Tracker

Submit issues for Ekunia Narodi; initial import of NodeBB issues.
http://ekunia.com

[CLOSED] No CSRF protection on forms #8

Closed NukeRusich closed 9 years ago

NukeRusich commented 9 years ago

Issue by damianb Wednesday Jun 19, 2013 at 12:01 GMT Originally opened as https://github.com/NodeBB/NodeBB/issues/8


As stated above, there's zero CSRF protection. This can be done in express already with express.csrf (reference express documentation).

NukeRusich commented 9 years ago

Comment by damianb Thursday Jun 20, 2013 at 16:49 GMT


Perhaps some sort of nonce-based protection should be considered for anything websocket-based as well, unless it's intended to go over WSS...

NukeRusich commented 9 years ago

Comment by julianlam Thursday Jun 20, 2013 at 16:59 GMT


It would definitely make sense to have Socket.IO go over wss:// for HTTPS connections. For now, we authorize user socket sessions using a signed cookie.